{ config, flake, ... }:
let
  # Everything below is resolved from the flake-level configuration; this
  # module only wires those values into security.acme, sops and tmpfiles.
  inherit (flake.config.people) user0;
  inherit (flake.config.people.users.${user0}) email;
  inherit (flake.config.services) instances;

  acme = instances.acme;

  # Public suffixes: url0 for most services, url1 for the federated ones, and a
  # stand-alone project site whose name lives in a separate flake input.
  primaryDomain = instances.web.domains.url0;
  secondaryDomain = instances.web.domains.url1;
  projectDomain = flake.inputs.linkpage.secrets.domains.projectsite;

  # DNS-01 challenge providers, passed straight through as lego's dnsProvider.
  primaryDns = instances.web.dns.provider0;
  secondaryDns = instances.web.dns.provider1;

  # sops secret name that holds one provider's API credentials. The secret is
  # declared and referenced through this single function so the two cannot drift.
  credentialSecret = dns: "dns/${dns}";

  # Per-certificate settings for one FQDN issued through `dns`.
  certVia = dns: {
    dnsProvider = dns;
    # NOTE(review): recent NixOS releases mark security.acme.certs.<name>.directory
    # read-only (default /var/lib/acme/<name>); confirm this assignment evaluates
    # on the pinned nixpkgs, and note every cert here would share one directory.
    directory = acme.paths.path0;
    # Consumed as EnvironmentFile=, which the service manager reads as root before
    # the unit drops to its own user, so the root-only mode set below suffices.
    environmentFile = config.sops.secrets.${credentialSecret dns}.path;
  };

  # `{ name; value; }` pairs for `<subdomain>.<domain>`; each element of
  # `serviceKeys` is an `instances.<x>.name` used to look the subdomain up.
  serviceCerts = domain: dns: serviceKeys:
    map (key: {
      name = "${instances.${key}.subdomain}.${domain}";
      value = certVia dns;
    }) serviceKeys;

  # `{ name; value; }` pairs for bare (apex) domains.
  apexCerts = dns: domains:
    map (fqdn: { name = fqdn; value = certVia dns; }) domains;
in
{
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = email.address0;
      # Production Let's Encrypt endpoint; no staging server is configured.
      server = "https://acme-v02.api.letsencrypt.org/directory";
    };
    certs = builtins.listToAttrs (builtins.concatLists [
      (serviceCerts primaryDomain primaryDns [
        instances.audiobookshelf.name
        instances.glance.name
        instances.jellyfin.name
        instances.minecraft.name
        instances.ollama.name
        instances.searx.name
        instances.syncthing.name
        instances.vaultwarden.name
        instances.prompter.name
        instances.comfyui.name
        instances.firefly-iii.name
        instances.nextcloud.name
        instances.opencloud.name
      ])
      (serviceCerts secondaryDomain primaryDns [
        instances.forgejo.name
        instances.mastodon.name
        instances.peertube.name
      ])
      (apexCerts primaryDns [ primaryDomain secondaryDomain ])
      (apexCerts secondaryDns [ projectDomain ])
    ]);
  };

  sops = let
    providers = [ primaryDns secondaryDns ];
    # One credential file per provider today. NOTE(review): the secret name below
    # does not include the entry from this list, so adding a second entry would
    # collide in listToAttrs (first one wins) -- widen the name before extending.
    credentials = [ "pass" ];
    # Materialised under /var/lib/secrets/<acme>/ as a root-only file.
    credentialFile = dns: credential: {
      path = "/var/lib/secrets/${acme.name}/${dns}-${credential}";
      owner = "root";
      mode = "600";
    };
  in {
    secrets = builtins.listToAttrs (builtins.concatMap (dns:
      map (credential: {
        name = credentialSecret dns;
        value = credentialFile dns credential;
      }) credentials
    ) providers);
  };

  systemd = {
    # NOTE(review): `Z` applies mode and ownership recursively. If acme.sops.path0
    # resolves to the /var/lib/secrets/<acme> tree declared above, this rule would
    # re-own the 0600 root-only credential files to the acme user with mode 755 --
    # confirm the path; a directory-only `d` rule or a tighter mode is safer.
    # NOTE(review): the listing shows a line break inside this literal right after
    # "Z "; it is reproduced unchanged here. A literal newline would make
    # systemd-tmpfiles reject the rule -- confirm against the source file.
    tmpfiles.rules = [
      "Z 
${acme.sops.path0} 755 ${acme.name} ${acme.name} -"
    ];
  };
}